Operator Bloopers Cobalt Strike Modules

Detects Cobalt Strike module/commands accidentally entered in CMD shell

Sigma rule (View on GitHub)

 1title: Operator Bloopers Cobalt Strike Modules
 2id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
 3related:
 4    - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
 5      type: similar
 6status: test
 7description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
 8references:
 9    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
10    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
11    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
12author: _pete_0, TheDFIRReport
13date: 2022-05-06
14modified: 2023-01-30
15tags:
16    - attack.execution
17    - attack.t1059.003
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - OriginalFileName: 'Cmd.Exe'
24        - Image|endswith: '\cmd.exe'
25    selection_cli:
26        CommandLine|contains:
27            - 'Invoke-UserHunter'
28            - 'Invoke-ShareFinder'
29            - 'Invoke-Kerberoast'
30            - 'Invoke-SMBAutoBrute'
31            - 'Invoke-Nightmare'
32            - 'zerologon'
33            - 'av_query'
34    condition: all of selection_*
35falsepositives:
36    - Unknown
37level: high

References

Related rules

to-top